I have installed SSL certificates for 2 domains:
1st domain
# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/kotronis-plastics.gr
cert = /etc/letsencrypt/live/kotronis-plastics.gr/cert.pem
privkey = /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem
chain = /etc/letsencrypt/live/kotronis-plastics.gr/chain.pem
fullchain = /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = apache
account = account_Id...
[[webroot_map]]
www.kotronis-plastics.gr = /var/www/html/mysite
kotronis-plastics.gr = /var/www/html/mysite
2nd domain
# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/scti.gr
cert = /etc/letsencrypt/live/scti.gr/cert.pem
privkey = /etc/letsencrypt/live/scti.gr/privkey.pem
chain = /etc/letsencrypt/live/scti.gr/chain.pem
fullchain = /etc/letsencrypt/live/scti.gr/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = apache
account = account_Id...
pre_hook = apachectl -k stop
post_hook = apachectl -k start
and I want to edit the renewal parameters of the 2nd certificate and set the same [renewalparams] as the 1st one.
If I edit the file /etc/letsencrypt/renewal/scti.gr.conf directly, will I mess up my system? If yes, which is the right way to do this?
Thank you!
My domain is: www.scti.gr
My web server is (include version): Apache
The operating system my web server runs on is (include version): ubuntu 16.04
I can login to a root shell on my machine: yes
_az
June 25, 2018, 10:53am
2
You can absolutely change entries under [renewalparams] and it should work, as long as the changes make sense.
If you want to be totally safe, you can also just run the Certbot command for that domain that matches your intent, and Certbot will overwrite the renewal parameters for you.
e.g.
certbot -d scti.gr -d www.scti.gr -a webroot -i apache -w /var/www/xxx
Thanks for the quick reply! Just to be sure, if I run only this command as root:
certbot -d scti.gr -d www.scti.gr -a webroot -i apache -w /var/www/html/scti-site
will I be OK?
_az
June 25, 2018, 10:58am
4
Yes. It will probably ask you if you want to re-install the existing certificate, in which case, answer yes.
After you do that, the renewal parameters should be updated (I think).
Edit: actually, it seems like you have more domains on that certificate:
DNS Name: kotronis-plastics.gr
DNS Name: scti.gr
DNS Name: www.kotronis-plastics.gr
DNS Name: www.scti.gr
Make sure you include all the domains you need, not just the ones I mentioned.
Maybe check certbot certificates to make sure that you’re not issuing a pointless certificate.
The certificate of kotronis-plastics.gr is the 1st domain that I mention in my question. My problem is that the statements in the 2nd domain:
pre_hook = apachectl -k stop
post_hook = apachectl -k start
cause problems (see this post).
That’s why I want to edit the entries under [renewalparams] of the 2nd domain (scti.gr) in order to be the same as the 1st. So running only the command:
certbot -d scti.gr -d www.scti.gr -a webroot -i apache -w /var/www/html/scti-site
shouldn’t be enough?
_az
June 25, 2018, 11:08am
6
It gives me pause because the certificate for kotronis-plastics.gr appears to cover scti.gr as well (all 4 names on one), which would make your second certificate redundant, and allow you to delete it.
For this reason I wanted you to check certbot certificates.
ok! running the command: certbot certificates
I get this output:
-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: scti.gr
Domains: www.kotronis-plastics.gr,kotronis-plastics.gr,scti.gr,www.scti.gr
Expiry Date: 2018-08-25 11:49:13+00:00 (VALID: 61 days)
Certificate Path: /etc/letsencrypt/live/scti.gr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/scti.gr/privkey.pem
Certificate Name: kotronis-plastics.gr
Domains: kotronis-plastics.gr,www.kotronis-plastics.gr
Expiry Date: 2018-08-25 23:12:09+00:00 (VALID: 61 days)
Certificate Path: /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem
Certificate Name: mycloud.kotronis-plastics.com
Domains: mycloud.kotronis-plastics.com
Expiry Date: 2018-09-09 23:12:11+00:00 (VALID: 76 days)
Certificate Path: /etc/letsencrypt/live/mycloud.kotronis-plastics.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mycloud.kotronis-plastics.com/privkey.pem
-------------------------------------------------------------------------------
The mycloud.kotronis-plastics.com doesn’t exist and I should delete it…
Also, what have I done? It seems I have 2 certs for the same domain?
In the folder /etc/letsencrypt/renewal there are the files
kotronis-plastics.gr.conf
mycloud.kotronis-plastics.com.conf
scti.gr.conf
So, which certs should I delete?
_az
June 25, 2018, 11:24am
8
You have a bit of redundant certificate coverage, but you’re actually using two of the certificates, so you can’t delete them.
To fix your immediate problem, I would suggest doing what you originally intended, but with a slight adjustment:
certbot --apache -d scti.gr -d www.scti.gr
In the end you should have
Separate certificates for your two domains.
The scti.gr certificate should no longer cover kotronis-plastics.gr
You won’t have the pre/post hooks anymore, and you’ll be using the Certbot Apache authenticator which automatically deals with the webroot and rewriting stuff.
For your non-existent domain:
certbot delete --cert-name mycloud.kotronis-plastics.com
Well, I ran the commands
certbot --apache -d scti.gr -d www.scti.gr
certbot delete --cert-name mycloud.kotronis-plastics.com
No error came up. But then running the command certbot certificates I get this output:
-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: scti.gr
Domains: www.kotronis-plastics.gr,kotronis-plastics.gr,scti.gr,www.scti.gr
Expiry Date: 2018-08-25 11:49:13+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/scti.gr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/scti.gr/privkey.pem
Certificate Name: kotronis-plastics.gr
Domains: kotronis-plastics.gr,www.kotronis-plastics.gr
Expiry Date: 2018-08-25 23:12:09+00:00 (VALID: 61 days)
Certificate Path: /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem
Certificate Name: scti.gr-0001
Domains: scti.gr,www.scti.gr
Expiry Date: 2018-09-23 11:52:04+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/scti.gr-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/scti.gr-0001/privkey.pem
-------------------------------------------------------------------------------
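An added example, not part of any post in this thread and not Certbot's own code: it parses `certbot certificates` output (abridged from the listing above), reports which names sit on more than one lineage, and shows which names would lose all coverage if a given lineage were deleted. The function names are hypothetical; the parser accepts the comma-separated domain list shown here and also space-separated lists.

```python
import re

# Abridged from the `certbot certificates` output posted above
# (expiry and path lines omitted; the parser ignores them anyway).
SAMPLE = """\
Found the following certs:
  Certificate Name: scti.gr
    Domains: www.kotronis-plastics.gr,kotronis-plastics.gr,scti.gr,www.scti.gr
  Certificate Name: kotronis-plastics.gr
    Domains: kotronis-plastics.gr,www.kotronis-plastics.gr
  Certificate Name: scti.gr-0001
    Domains: scti.gr,www.scti.gr
"""

def parse_lineages(text):
    """Map certificate name -> set of domains from `certbot certificates` output."""
    lineages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = set()
        elif line.startswith("Domains:") and current is not None:
            names = re.split(r"[,\s]+", line.split(":", 1)[1].strip())
            lineages[current].update(n.lower() for n in names if n)
    return lineages

def overlaps(lineages):
    """Return {domain: sorted lineage names} for domains on more than one lineage."""
    owners = {}
    for name, domains in lineages.items():
        for domain in domains:
            owners.setdefault(domain, []).append(name)
    return {d: sorted(n) for d, n in owners.items() if len(n) > 1}

def uncovered_if_deleted(lineages, name):
    """Domains left with no certificate at all if lineage `name` were deleted."""
    remaining = set().union(*(d for n, d in lineages.items() if n != name))
    return lineages[name] - remaining

if __name__ == "__main__":
    lin = parse_lineages(SAMPLE)
    for domain, names in sorted(overlaps(lin).items()):
        print(f"{domain}: on {', '.join(names)}")
    print("lost by deleting scti.gr:", sorted(uncovered_if_deleted(lin, "scti.gr")))
```

Overlap alone does not say which lineage is in use; that depends on which paths the web server configuration points at.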
_az
June 26, 2018, 1:18am
10
Not quite what I had anticipated, but it should be fine.
Verify that your web server is no longer using /etc/letsencrypt/live/scti.gr/ (it’s now using the -0001 version) and then delete the old certificate/renewal parameters:
certbot delete --cert-name scti.gr
and you’re good to go.
Verify that your web server is no longer using /etc/letsencrypt/live/scti.gr/
In the folder /etc/apache2/sites-available the configuration file scti.gr-le-ssl.conf contains:
SSLCertificateFile /etc/letsencrypt/live/scti.gr-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/scti.gr-0001/privkey.pem
I also checked that the kotronis-plastics.gr-le-ssl.conf contains:
SSLCertificateFile /etc/letsencrypt/live/kotronis-plastics.gr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kotronis-plastics.gr/privkey.pem
Are these the settings where I should check to verify that the domains are using the right certificates?
Also, just to be sure: if I run the command certbot delete --cert-name scti.gr, the Certificate Name: scti.gr will be deleted and both my domains (scti.gr, kotronis-plastics.gr) will be working?
Thank you a lot for your assistance!
_az
June 26, 2018, 5:36am
12
Looks good to me. A final paranoid check should have no results:
sudo grep -Ri "/etc/letsencrypt/live/scti.gr/" /etc/apache2/sites-available/
and you’re safe to run the delete.
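The check above generalized, as an added example that is not from the thread: it walks an Apache configuration directory and lists active SSLCertificate* directives pointing into one lineage's live directory, so that scti.gr does not match scti.gr-0001 and commented-out lines are ignored (the grep reports those too). The function names and the throwaway directory are constructed; the directive lines are the ones quoted in the thread, plus one constructed commented-out line.

```python
import os
import re
import tempfile

# Apache directive names are case-insensitive; a leading '#' prevents a match.
DIRECTIVE = re.compile(r"^\s*(SSLCertificate(?:File|KeyFile|ChainFile))\s+(\S+)", re.I)

def lineage_references(config_dir, cert_name, live_root="/etc/letsencrypt/live"):
    """Return (file, line number, directive) for each active directive using this lineage."""
    prefix = os.path.join(live_root, cert_name) + "/"   # trailing slash excludes name-0001
    hits = []
    for root, _dirs, files in os.walk(config_dir):
        for fname in sorted(files):
            path = os.path.join(root, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = DIRECTIVE.match(line)
                    if m and m.group(2).strip('"').startswith(prefix):
                        hits.append((path, lineno, m.group(1)))
    return sorted(hits)

def demo():
    """Scan a throwaway config dir built from the directives quoted in the thread."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "scti.gr-le-ssl.conf"), "w") as fh:
            fh.write(
                # constructed: a leftover, commented-out reference to the old lineage
                "# SSLCertificateFile /etc/letsencrypt/live/scti.gr/fullchain.pem\n"
                "SSLCertificateFile /etc/letsencrypt/live/scti.gr-0001/fullchain.pem\n"
                "SSLCertificateKeyFile /etc/letsencrypt/live/scti.gr-0001/privkey.pem\n"
            )
        old = lineage_references(d, "scti.gr")
        new = lineage_references(d, "scti.gr-0001")
        return old, [(os.path.basename(p), n, k) for p, n, k in new]

if __name__ == "__main__":
    old, new = demo()
    print("active references to scti.gr:", old)
    print("active references to scti.gr-0001:", new)
```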
No result came up from the grep command!
_az Thanks a lot for your help!